Pandemic-driven structural shifts in cybercrime and cybersecurity

Lessons from our 4x4 Virtual Salon — Cybercrime & Fraud in the age of COVID-19

Andra Zaharia - the Cyber Empathy champion
aperture.hub
12 min read · Jul 23, 2020

Behind every aggravating headline that refers to cybercrime and its implications, there’s a group of IT or security specialists struggling to deal with an overwhelming number of burning priorities.

We have great empathy for them and so we wanted to identify the key focus points they can use to strategize or to build their business case when talking to C-level execs.

During our second 4 x 4 Virtual Salon, we unearthed essential observations that can steer organizations through decisions anchored in reality — as we live it today.

The guests

Our generous guests contributed their experience, wisdom, and expertise, offering insights that can only be derived from intense, long-term practice.

New behaviors, new cybercrime vectors

Cybersecurity has always been a challenge with many moving parts. What’s different now is that some of these parts have fundamentally changed.

The security baseline in organizations everywhere has transformed. All our guests — and the broader information security community — agree that the processes and the technology in use were designed for different conditions.

“New attack vectors and methods prey on these new patterns of behavior and the old protection models are not detecting these new patterns (e.g. our travel patterns have changed, our online spending patterns have changed).”

Jordan Brandt, CEO Inpher

Throughout this turmoil, it’s important to remember the work happening behind the scenes, where specialists are stretching themselves to ensure companies keep working — safely.

“There’s been some heroic work done by IT teams and network providers in fixing the network and delivering endpoints so that people could work from home.

IT security teams, IT provisioning teams have had to work in new ways and it’s been harder to deliver the same results.”

Paddy McGuinness CMG OBE, Senior Advisor at Brunswick, Former UK Deputy National Security Advisor

It takes us back to think how the world looked when Verizon published their famous Data Breach Investigations Report at the beginning of 2020. Pre-pandemic trends had a big focus on network vulnerability and debunked the illusion that nation-state or state-affiliated actors were the main culprits for data breaches.

Unsuspecting of what would follow, the report identified two causes for data breaches that have now become major issues cybersecurity and IT specialists have to deal with:

  • In 2019, attacks on cloud-based web applications doubled, causing 43% of data breaches.
  • Last year, 67% of breaches were caused by credential theft (through phishing and BEC — business email compromise), errors, and social attacks.

This increased focus on social engineering is how cybercriminals are exploiting the sudden shift in consumer behavior combined with a general climate of fear, uncertainty, and doubt.

As an expert deeply rooted in the reality of keeping both companies and critical state institutions safe, Paddy McGuinness highlights some of the things that make you more vulnerable to manipulation without your knowledge:

“I have been more susceptible to social engineering in this period. Clicking to see the interesting video. Clicking on a link and see what money I can get from the Treasury. Clicking on a link to understand what one of my employers is doing. So all of those factors mean there’s been a period of heightened risk of social engineering.”

Paddy McGuinness CMG OBE, Senior Advisor at Brunswick, Former UK Deputy National Security Advisor

What’s more, malicious actors are taking full advantage of mobile devices and the limited visibility they provide over links, for example, especially for the untrained user.

“People are used to phishing via email, but there’s an inherent trust in SMS. It’s easier to phish people with an SMS containing the same link.”

Mohamed Ourdane, Head of Cybersecurity at POST Luxembourg

With smartphones being the main way people access and consume information, it’s no wonder financial services have seen a massive surge in identity theft, especially since governments are supplying financial stimulus.

This accumulation of rapid-fire transformations and the ferociousness — and volume — of opportunistic attacks has:

“… highlighted the need for information sharing, not only within the industry but across industry verticals because these attacks are being used across networks.”

Jordan Brandt, CEO Inpher

Collaboration and information-sharing were a core topic in our virtual salon, emerging both in our guests’ observations and in questions from participants. That’s why this powerful statement will likely stay with us for a long time:

“We are fighting a criminal network, so we need to act as a network to fight a network.”

Jordan Brandt, CEO Inpher

Can’t live without it? Cybercriminals will target it

Mohamed Ourdane, Head of Cybersecurity at POST Luxembourg, has seen a sharp rise in attacks specifically targeting health organizations researching a COVID-19 vaccine, likely motivated to steal information. He’s also seen malicious actors targeting hospitals to impede or paralyze the country.

The global focus on developing a vaccine for the virus also attracted well-funded, highly-skilled criminal organizations that had specialized in targeting other industries:

“Ransomware firms that were targeting the financial sector and some others in the higher-value manufacturing sector have switched to healthcare.”

Paddy McGuinness CMG OBE, Senior Advisor at Brunswick, Former UK Deputy National Security Advisor

“Critical infrastructure is part of the value chain”, Mohamed Ourdane (Head of Cybersecurity at POST Luxembourg) says, and cybercriminals may also attack it as a way to reach other organizations or sectors. This has far-reaching effects, as public and private organizations depend on each other to survive this demanding time for everyone.

“If you are critical infrastructure, it’s very important to be prepared, not only in terms of visibility, but in terms of being able to react, not only because it concerns you, but because it concerns the entire economy.”

Mohamed Ourdane, Head of Cybersecurity at POST Luxembourg

Cybercriminal networks know that putting their victims in an impossible situation is how they’ll get the biggest pay-off, either through extortion, data exfiltration, or diverting money to their own accounts.

You’re just as vulnerable as your partners are

Most companies think malicious hackers won’t target their organizations. We even saw this in answers to one of the polls we ran during the virtual salon.

But this commonly-held belief couldn’t be farther from the truth. Just ask a cybersecurity specialist (we did!). Because most decision-makers think being in the crosshairs of bad actors is a matter of direct cause and effect, they often miss the secondary implications.

“If you have a relationship with an organization, which is itself vulnerable and is being targeted, you become the target. […] There’s real danger in a line of thinking that says ‘we can manage this risk down and manage our spending an effort down because we’re not a target’.”

Paddy McGuinness CMG OBE, Senior Advisor at Brunswick, Former UK Deputy National Security Advisor

“You cannot build resilience on your own. If you are resilient and your partner, which is a critical partner, is not resilient, then you are not resilient either.”

Mohamed Ourdane, Head of Cybersecurity, POST Luxembourg

What the cybercrime economy dynamic means for companies

On top of the “we’re not a target” myth, there’s also a disadvantageous contrast between what companies think of their security posture and the difficult day-to-day reality.

“[…] you have organizations that are presenting to their board spreadsheet, showing they’re green in terms of their understanding of what’s happening to them.

And yet we have dwell time, the length of time that people are sitting inside your networks. And that dwell time in Europe is averaging 90 days. So if you catch something early, someone else has had presence in their network for maybe, you know, months, possibly a year.”

Paddy McGuinness CMG OBE, Senior Advisor at Brunswick, Former UK Deputy National Security Advisor

“There are a lot of attacks being conducted without even any kind of awareness of the victims in a very sophisticated way. And one of the most interesting things is that these attacks can be conducted without even leaving fingerprints.”

Yuval Porat, CEO Kazuar

This happens because, in the past 5 years, offensive know-how, tactics, and technology from some of the advanced state organizations have been constantly leaking into the underground economy.

“We’re seeing today a very significant involvement of state actors — sophisticated state actors — in attacking businesses. And in parallel, [we see] what we’ve defined as a proliferation of offensive capabilities, moving from the state level to highly sophisticated, global criminal organizations.

And, given this understanding, we’re going to see businesses exposed to completely new kinds of attacks. […] Not attacks by small groups of hackers, but highly sophisticated operations with very impressive operational capabilities, planning, resources, and technological capabilities.”

Yuval Porat, CEO Kazuar

It’s no wonder companies, no matter how well-funded and technologically-advanced, have trouble keeping up.

“The reason that there was a massive proliferation of offensive capabilities from state actors to criminal organizations is because the ROI is great compared to other kinds of crime. So it’s a very efficient kind of crime, highly scalable.”

“Even before COVID-19 the belief, the idea that a highly sophisticated business organization can protect itself against a highly sophisticated, targeted attack was no more than a myth. Now it became even worse after COVID-19. The only way to deal with it on a strategic level.”

Yuval Porat, CEO Kazuar

Protecting the data, wherever it goes

One of these strategic concepts involves shifting away from perimeter-focused security and toward a more flexible protection model.

“It comes down to focusing on protecting the data itself.

Of course you secure your network, but, as we’ve seen, as networks have expanded to work from home environments, as Paddy mentioned, it becomes harder and harder to guarantee a perimeter security. So you have to focus on the data itself — who has access, who can see it. [There are] new technologies that enable you to protect data even during runtime, so the data can stay encrypted even while it’s being processed, so that bad actors can’t actually see any of that information.”

Jordan Brandt, CEO Inpher

To achieve this, you need more than just the technology, as Mohamed Ourdane (Head of Cybersecurity, POST Luxembourg) emphasizes. Organizations must invest in three main assets: strong skills, visibility capabilities, and data scientists. That’s because:

“We should be dealing with these things at machine speed. Human intervention means loss.”

Paddy McGuinness CMG OBE, Senior Advisor at Brunswick, Former UK Deputy National Security Advisor

The 4 factors that influence how accurately you evaluate your cyber risk

Paddy McGuinness CMG OBE, Senior Advisor at Brunswick, Former UK Deputy National Security Advisor, highlighted the four essential elements to factor into risk evaluations around cyberthreats and cyberattacks.

1. The limits of your knowledge.

“You’ve got to understand the limits of your knowledge. And the reality is that most people know some of what is happening on their networks and they learn a bit about what’s happening on other people’s networks in a number of ways.

In my practice, I see businesses in crisis, when they’re suffering from cyber incidents. The majority in Europe do not want to go public about the fact that they’re having a difficulty and almost none are willing to share the nature of the difficulty.”

“You’ve got to understand that there are known unknowns, and that means that your risk calculation needs to be weighted that way.”

2. The limits of your controls.

“Now boards are looking at controls. And there are all sorts of hygiene factors in a business for cybersecurity and executive committees and boards are looking at them closely.

We’ve just been through a period where I would guess that audit and risk committees have not been meeting. And we’ve had the biggest change at speed in company IT that we’ve had in a generation at least. […]

Well, there’s not a whole load of work for those risks and audit committees and IT security committees and CISOs all the rest of it to go back and look at.”

3. The sources of your organizational vulnerability

“Almost the most important thing for the cost-benefit analysis is understanding your organizational vulnerability.

Because organizational vulnerabilities might be that you’re undercapitalized and you’re under strain and therefore you haven’t got the money at the moment to deal with a major issue. Or you might be under a merger and acquisition interest.”

4. The plausibility of your plans

“A number of businesses I go into base their cyber security, their risk mitigation plans upon an assumption: that they’re going to be able to grow their skilled workforce.

It’s not possible — a massive increase in cost for a business to solve all the cyber skills it needs. And it’s not possible for all businesses to do it by definition, because there’s a limited pool of skilled people.”

The driver behind cyberattacks can also be the solution

“I think COVID is a driver for it [cybercrime], but the real driver for it is the available technology.”

Paddy McGuinness CMG OBE, Senior Advisor at Brunswick, Former UK Deputy National Security Advisor

And while cybercriminal networks are very adept at sharing information, technology, and tactics, defenders have not yet reached that level of collaboration, hindering their efforts.

Sometimes, cybersecurity specialists and organizations look to law enforcement agencies to inspire and support this collaboration, but, in reality, they can’t fill the gap by themselves.

“There is very little that law enforcement agencies can do for us given the transnational nature of crime and the fact that they are under-resourced and under-capable.

They remind me a bit from my history books of what armies were like going into the First World War, where they thought they were going to rely on cavalry and the cavalry were of no use.

Local agencies, on the whole, simply don’t have the capabilities to deal with it.”

Paddy McGuinness CMG OBE, Senior Advisor at Brunswick, Former UK Deputy National Security Advisor

So how can organizations — either private or public — cope with the responsibility of dealing with all these issues on their own, not being able to rely on external bodies, governments and law enforcement agencies?

Building cyber-resilience to support business continuity

Bullet-proof security was never an attainable objective. It’s time to replace it with a realistic goal and cyber-resilience seems to be it, according to our guests.

“COVID-19 changes a lot in the expectation of resilience from all businesses. No business can be blamed for the fact that it didn’t have a detailed plan for a once-in-a-hundred-years pandemic turning up at the beginning of 2020. […] But that’s the only free pass you get. The expectation is now that you’re going to be resilient.”

Paddy McGuinness CMG OBE, Senior Advisor at Brunswick, Former UK Deputy National Security Advisor

Since “data and identity are the key pillars of this digital transformation”, as Mohamed Ourdane (Head of Cybersecurity, POST Luxembourg) says, Jordan Brandt (CEO, Inpher) suggests defunding cybercriminals as an effective method to curb attacks:

“The best way to fight cybercrime is to take away how they make their money.”

To mitigate the risks associated with processing and managing sensitive data without introducing too much friction, our guests suggested a priority-focused approach. Knowing you can’t protect everything can help you have a bigger impact by protecting what you can — and should:

“It’s important to be able to identify the most important assets inside the organization.”

Yuval Porat, CEO Kazuar

“It’s about understanding which elements of your data are absolutely critical to the value and standing of your company, about being clear what you’re going to really defend and what you’re not.”

Paddy McGuinness CMG OBE, Senior Advisor at Brunswick, Former UK Deputy National Security Advisor

Once you know what your key assets are — the crown jewels — you can look at technology especially designed to keep them safe.

“Secret computing is really an umbrella term for encryption-in-use technologies. […] It allows you to keep data encrypted while it’s being computed. It sounds like magic but the math does exist to allow us to extract information without actually seeing the data.”

Jordan Brandt, CEO Inpher

The tech is here to help companies share information to advance their understanding of attack vectors and cybercriminal tactics and also to unlock new opportunities for value creation, as this WEF whitepaper highlights.

“As we work towards more automation, there’s less and less human intervention and the data can remain encrypted — no decryption — which helps to solve this problem, meaning it is not impossible if the data is encrypted and always remains encrypted. No bad actor can access that.

As we work towards more automation, we reduce the need to ever make data vulnerable in the first place.”

Jordan Brandt, CEO Inpher

Eager to explore more structural shifts and their practical impact?

Keep an eye on our updates on LinkedIn, where we announce new events from our Virtual Salon series and also podcast episodes and articles that might just trigger your next a-ha! moment.
